packages/linux-sgx
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

backport openssl CVE-2022-0778 and CVE-2022-1292, protobuf CVE-2021-22570

Browse Source
This commit is contained in:
w00559322 2022-06-27 16:06:02 +08:00
parent 9d9f04edd0
commit b41d37c851
6 changed files with 328 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

25
adapt-openssl-CVE.patch Normal file
View File

@ -0,0 +1,25 @@
From d13f8cbc7ec066b04cbe13ef6bf14b2b085fbc35 Mon Sep 17 00:00:00 2001
From: houmingyong <houmingyong@huawei.com>
Date: Sun, 5 Jun 2022 14:44:37 +0800
Subject: [PATCH] decompress openssl sourece before build
---
.../intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh | 2 --
1 file changed, 2 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh
index 7d77b79..43745b8 100755
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/Linux/build_openssl.sh
@@ -54,8 +54,6 @@ mkdir -p $SGXSSL_ROOT/package/lib64/
# build openssl modules, clean previous openssl dir if it exist
cd $SGXSSL_ROOT/../openssl_source || exit 1
-rm -rf $OPENSSL_VERSION
-tar xvf $OPENSSL_VERSION.tar.gz || exit 1
# Remove AESBS to support only AESNI and VPAES
sed -i '/BSAES_ASM/d' $OPENSSL_VERSION/Configure
--
2.23.0

75
backport-CVE-2021-22570.patch Normal file
View File

@ -0,0 +1,75 @@
From 77fd494f2acfd6b08f888f342ca721e3f0809b52 Mon Sep 17 00:00:00 2001
From: wangxiaochao <wangxiaochao2@huawei.com>
Date: Fri, 18 Mar 2022 14:46:35 +0800
Subject: [PATCH] fix CVE-2021-22570
Conflict:NA
Reference:https://gitee.com/src-openeuler/protobuf/pulls/64/files
Signed-off-by: wangxiaochao <wangxiaochao2@huawei.com>
---
.../src/google/protobuf/descriptor.cc | 20 +++++++++++++++++++
1 file changed, 20 insertions(+)
diff --git a/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc b/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc
index 8998e1b..e6f7ec2 100644
--- a/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc
+++ b/external/protobuf/protobuf_code/src/google/protobuf/descriptor.cc
@@ -2626,6 +2626,8 @@ void Descriptor::DebugString(int depth, std::string* contents,
const Descriptor::ReservedRange* range = reserved_range(i);
if (range->end == range->start + 1) {
strings::SubstituteAndAppend(contents, "$0, ", range->start);
+ } else if (range->end > FieldDescriptor::kMaxNumber) {
+ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
} else {
strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
range->end - 1);
@@ -2829,6 +2831,8 @@ void EnumDescriptor::DebugString(
const EnumDescriptor::ReservedRange* range = reserved_range(i);
if (range->end == range->start) {
strings::SubstituteAndAppend(contents, "$0, ", range->start);
+ } else if (range->end == INT_MAX) {
+ strings::SubstituteAndAppend(contents, "$0 to max, ", range->start);
} else {
strings::SubstituteAndAppend(contents, "$0 to $1, ", range->start,
range->end);
@@ -4019,6 +4023,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
// Use its file as the parent instead.
if (parent == nullptr) parent = file_;
+ if (full_name.find('\0') != std::string::npos) {
+ AddError(full_name, proto, DescriptorPool::ErrorCollector::NAME,
+ "\"" + full_name + "\" contains null character.");
+ return false;
+ }
if (tables_->AddSymbol(full_name, symbol)) {
if (!file_tables_->AddAliasUnderParent(parent, name, symbol)) {
// This is only possible if there was already an error adding something of
@@ -4059,6 +4068,11 @@ bool DescriptorBuilder::AddSymbol(const std::string& full_name,
void DescriptorBuilder::AddPackage(const std::string& name,
const Message& proto,
const FileDescriptor* file) {
+ if (name.find('\0') != std::string::npos) {
+ AddError(name, proto, DescriptorPool::ErrorCollector::NAME,
+ "\"" + name + "\" contains null character.");
+ return;
+ }
if (tables_->AddSymbol(name, Symbol(file))) {
// Success. Also add parent package, if any.
std::string::size_type dot_pos = name.find_last_of('.');
@@ -4372,6 +4386,12 @@ FileDescriptor* DescriptorBuilder::BuildFileImpl(
}
result->pool_ = pool_;
+ if (result->name().find('\0') != std::string::npos) {
+ AddError(result->name(), proto, DescriptorPool::ErrorCollector::NAME,
+ "\"" + result->name() + "\" contains null character.");
+ return nullptr;
+ }
+
// Add to tables.
if (!tables_->AddFile(result)) {
AddError(proto.name(), proto, DescriptorPool::ErrorCollector::OTHER,
--
2.23.0

72
backport-CVE-2022-0778.patch Normal file
View File

@ -0,0 +1,72 @@
From 4382b4d9446c34d29b12dedf6b93f35215b9dd3b Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:21 +0100
Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
The calculation in some cases does not finish for non-prime p.
This fixes CVE-2022-0778.
Based on patch by David Benjamin <davidben@google.com>.
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference: https://github.com/openssl/openssl/commit/3118eb64934499d93db3230748a452351d1d9a65
Conflict: NA
---
.../openssl-1.1.1l/crypto/bn/bn_sqrt.c | 30 +++++++++++--------
1 file changed, 18 insertions(+), 12 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
index 1723d5d..53b0f55 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/crypto/bn/bn_sqrt.c
@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
/*
* Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
* algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
- * Theory", algorithm 1.5.1). 'p' must be prime!
+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
+ * an incorrect "result" will be returned.
*/
{
BIGNUM *ret = in;
@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
goto vrfy;
}
- /* find smallest i such that b^(2^i) = 1 */
- i = 1;
- if (!BN_mod_sqr(t, b, p, ctx))
- goto end;
- while (!BN_is_one(t)) {
- i++;
- if (i == e) {
- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
- goto end;
+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */
+ for (i = 1; i < e; i++) {
+ if (i == 1) {
+ if (!BN_mod_sqr(t, b, p, ctx))
+ goto end;
+
+ } else {
+ if (!BN_mod_mul(t, t, t, p, ctx))
+ goto end;
}
- if (!BN_mod_mul(t, t, t, p, ctx))
- goto end;
+ if (BN_is_one(t))
+ break;
+ }
+ /* If not found, a is not a square or p is not prime. */
+ if (i >= e) {
+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE);
+ goto end;
}
/* t := y^2^(e - i - 1) */
--
2.23.0

61
backport-CVE-2022-0778_test.patch Normal file
View File

@ -0,0 +1,61 @@
From 6ec7f406d2141b78508b5df91597a61de2ac38ed Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Mon, 28 Feb 2022 18:26:35 +0100
Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference: https://github.com/openssl/openssl/commit/3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0
Conflict: NA
---
.../openssl_source/openssl-1.1.1l/test/bntest.c | 11 ++++++++++-
.../test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
index 236501e..08c60a2 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/bntest.c
@@ -1685,8 +1685,17 @@ static int file_modsqrt(STANZA *s)
|| !TEST_ptr(ret2 = BN_new()))
goto err;
+ if (BN_is_negative(mod_sqrt)) {
+ /* A negative testcase */
+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx)))
+ goto err;
+
+ st = 1;
+ goto err;
+ }
+
/* There are two possible answers. */
- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx))
+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx))
|| !TEST_true(BN_sub(ret2, p, ret)))
goto err;
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
index 5ea4d03..e28cc6b 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/test/recipes/10-test_bn_data/bnmod.txt
@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186
A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81
P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
+
+# Negative testcases for BN_mod_sqrt()
+
+# This one triggers an infinite loop with unfixed implementation
+# It should just fail.
+ModSqrt = -1
+A = 20a7ee
+P = 460201
+
+ModSqrt = -1
+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed
+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f
--
2.23.0

80
backport-CVE-2022-1292.patch Normal file
View File

@ -0,0 +1,80 @@
From 9b495e8d9028ca893019c5b176d913051ea925ac Mon Sep 17 00:00:00 2001
From: Tomas Mraz <tomas@openssl.org>
Date: Tue, 26 Apr 2022 12:40:24 +0200
Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
Except on VMS where it is safe.
This fixes CVE-2022-1292.
Reviewed-by: Matthias St. Pierre <Matthias.St.Pierre@ncp-e.com>
Reviewed-by: Matt Caswell <matt@openssl.org>
Reference:https://git.openssl.org/gitweb/?p=openssl.git;a=patch;h=e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23
Conflict:NA
---
.../openssl-1.1.1l/tools/c_rehash.in | 29 ++++++++++++++++---
1 file changed, 25 insertions(+), 4 deletions(-)
diff --git a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
index fa7c6c9..83c1cc8 100644
--- a/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
+++ b/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source/openssl-1.1.1l/tools/c_rehash.in
@@ -152,6 +152,23 @@ sub check_file {
return ($is_cert, $is_crl);
}
+sub compute_hash {
+ my $fh;
+ if ( $^O eq "VMS" ) {
+ # VMS uses the open through shell
+ # The file names are safe there and list form is unsupported
+ if (!open($fh, "-|", join(' ', @_))) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ } else {
+ if (!open($fh, "-|", @_)) {
+ print STDERR "Cannot compute hash on '$fname'\n";
+ return;
+ }
+ }
+ return (<$fh>, <$fh>);
+}
# Link a certificate to its subject name hash value, each hash is of
# the form <hash>.<n> where n is an integer. If the hash value already exists
@@ -161,10 +178,12 @@ sub check_file {
sub link_hash_cert {
my $fname = $_[0];
- $fname =~ s/\"/\\\"/g;
- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
@@ -202,10 +221,12 @@ sub link_hash_cert {
sub link_hash_crl {
my $fname = $_[0];
- $fname =~ s/'/'\\''/g;
- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
+ "-fingerprint", "-noout",
+ "-in", $fname);
chomp $hash;
chomp $fprint;
+ return if !$hash;
$fprint =~ s/^.*=//;
$fprint =~ tr/://d;
my $suffix = 0;
--
2.23.0

16
linux-sgx.spec
View File

@ -1,6 +1,6 @@
Name: linux-sgx
Version: 2.15.1
Release: 3
Release: 4
Summary: Intel(R) Software Guard Extensions for Linux* OS
ExclusiveArch: x86_64
License: BSD-3-Clause
@ -21,6 +21,11 @@ Source11: https://github.com/intel/intel-sgx-ssl/archive/refs/tags/intel-s
Patch0: 0001-disable-the-download-process-in-building.patch
Patch1: 0002-fix-building-error-for-systemd.patch
Patch2: add-secure-compilation-options.patch
Patch3: backport-CVE-2021-22570.patch
Patch4: backport-CVE-2022-0778.patch
Patch5: backport-CVE-2022-0778_test.patch
Patch6: backport-CVE-2022-1292.patch
Patch7: adapt-openssl-CVE.patch
BuildRequires: gcc-c++ protobuf-devel libtool ocaml-ocamlbuild openssl openssl-devel cmake python curl-devel createrepo_c git nasm
@ -261,11 +266,17 @@ Intel(R) Software Guard Extensions Basic Headers
%%setup -q -D -a 7 -n linux-sgx-sgx_%{version}/external/protobuf
%%setup -q -D -a 8 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteGeneration
%%setup -q -D -a 11 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/
%%setup -q -D -a 10 -n linux-sgx-sgx_%{version}/external/dcap_source/SGXDataCenterAttestationPrimitives-DCAP_1.12.1/QuoteVerification/intel-sgx-ssl-lin_2.15.1_1.1.1l/openssl_source
%%setup -q -D -a 9 -n linux-sgx-sgx_%{version}
%%patch0 -p1
%%patch1 -p1
%%patch2 -p1
%%patch3 -p1
%%patch4 -p1
%%patch5 -p1
%%patch6 -p1
%%patch7 -p1
%build
@ -1022,6 +1033,9 @@ fi
%files -n libsgx-headers -f %{LINUX_INSTALLER_RPM_DIR}/libsgx-headers/build/list-libsgx-headers
%changelog
* Mon Jun 27 2022 wangyu <wangyu283@huawei.com> - 2.15.1-4
- backport openssl CVE-2022-0778 and CVE-2022-1292, protobuf CVE-2021-22570
* Wed Jun 22 2022 zhengxiaoxiao <zhengxiaoxiao2@huawei.com> - 2.15.1-3
- sgx-aesm-service exclude /var/opt/aesmd/data